OF-2353: Add log4j2.formatMsgNoLookups system property to startup scr…

…ipts As another mitigation for CVE-2021-4428, add the log4j2.formatMsgNoLookups system property to all Openfire start scripts that we provide.
igniterealtime · Dec 16, 2021 · 04ef47c · 04ef47c
1 parent 9e3ade6
commit 04ef47c
Show file tree

Hide file tree

Showing 7 changed files with 795 additions and 794 deletions.
diff --git a/build/debian/openfire.init.d b/build/debian/openfire.init.d
@@ -46,6 +46,7 @@ test -x $JAVA || exit 1
 
 DAEMON_OPTS="$DAEMON_OPTS -server -DopenfireHome=${DAEMON_DIR} \
  -Dlog4j.configurationFile=${DAEMON_LIB}/log4j2.xml \
+ -Dlog4j2.formatMsgNoLookups=true \
  -Dopenfire.lib.dir=${DAEMON_LIB} -classpath ${DAEMON_LIB}/startup.jar\
  -jar ${DAEMON_LIB}/startup.jar"
 

diff --git a/distribution/src/bin/extra/openfire-launchd-wrapper.sh b/distribution/src/bin/extra/openfire-launchd-wrapper.sh
@@ -12,7 +12,7 @@ function shutdown()
 date
 echo "Starting Openfire"
 
-/usr/bin/java -server -jar "$OPENFIRE_HOME/lib/startup.jar" -Dlog4j.configurationFile=$$OPENFIRE_HOME/lib/log4j2.xml -Dopenfire.lib.dir=/usr/local/openfire/lib&
+/usr/bin/java -server -jar "$OPENFIRE_HOME/lib/startup.jar" -Dlog4j.configurationFile=$$OPENFIRE_HOME/lib/log4j2.xml -Dlog4j2.formatMsgNoLookups=true -Dopenfire.lib.dir=/usr/local/openfire/lib&
 
 OPENFIRE_PID=`ps auxww | grep -v wrapper | awk '/openfire/ && !/awk/ {print $2}'`
 

diff --git a/distribution/src/bin/extra/redhat/openfire b/distribution/src/bin/extra/redhat/openfire
@@ -98,7 +98,7 @@ else
 	LOCALCLASSPATH="${OPENFIRE_LIB}/startup.jar:${LOCALCLASSPATH}"
 fi
 
-JAVACMD="${JAVACMD} -Dlog4j.configurationFile=${OPENFIRE_LIB}/log4j2.xml"
+JAVACMD="${JAVACMD} -Dlog4j.configurationFile=${OPENFIRE_LIB}/log4j2.xml -Dlog4j2.formatMsgNoLookups=true"
 
 # Export any necessary variables
 export JAVA_HOME JAVACMD

diff --git a/distribution/src/bin/openfire.bat b/distribution/src/bin/openfire.bat
@@ -16,7 +16,7 @@ goto end
 :run
 SET debug=
 if "%1" == "-debug" SET debug=-Xdebug -Xint -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8000
-start "Openfire" "%JAVA_HOME%\bin\java" %debug% -server -Djdk.tls.ephemeralDHKeySize=matched -Djsse.SSLEngine.acceptLargeFragments=true -DopenfireHome="%OPENFIRE_HOME%" -Dlog4j.configurationFile="%OPENFIRE_HOME%\lib\log4j2.xml" -Dopenfire.lib.dir="%OPENFIRE_HOME%\lib" -jar "%OPENFIRE_HOME%\lib\startup.jar"
+start "Openfire" "%JAVA_HOME%\bin\java" %debug% -server -Djdk.tls.ephemeralDHKeySize=matched -Djsse.SSLEngine.acceptLargeFragments=true -DopenfireHome="%OPENFIRE_HOME%" -Dlog4j.configurationFile="%OPENFIRE_HOME%\lib\log4j2.xml" -Dlog4j2.formatMsgNoLookups=true -Dopenfire.lib.dir="%OPENFIRE_HOME%\lib" -jar "%OPENFIRE_HOME%\lib\startup.jar"
 goto end
 
 :end

diff --git a/distribution/src/bin/openfire.sh b/distribution/src/bin/openfire.sh
@@ -132,7 +132,7 @@ esac
 done
 
 
-JAVACMD="${JAVACMD} -Dlog4j.configurationFile=${OPENFIRE_LIB}/log4j2.xml -Djdk.tls.ephemeralDHKeySize=matched -Djsse.SSLEngine.acceptLargeFragments=true"
+JAVACMD="${JAVACMD} -Dlog4j.configurationFile=${OPENFIRE_LIB}/log4j2.xml -Dlog4j2.formatMsgNoLookups=true -Djdk.tls.ephemeralDHKeySize=matched -Djsse.SSLEngine.acceptLargeFragments=true"
 
 if [ -z "$LOCALCLASSPATH" ] ; then
 	LOCALCLASSPATH=$OPENFIRE_LIB/startup.jar

diff --git a/distribution/src/bin/openfirectl b/distribution/src/bin/openfirectl
@@ -107,7 +107,7 @@ else
 	LOCALCLASSPATH="${OPENFIRE_LIB}/startup.jar:${LOCALCLASSPATH}"
 fi
 
-JAVACMD="${JAVACMD} -Dlog4j.configurationFile=${OPENFIRE_LIB}/log4j2.xml"
+JAVACMD="${JAVACMD} -Dlog4j.configurationFile=${OPENFIRE_LIB}/log4j2.xml -Dlog4j2.formatMsgNoLookups=true"
 
 # Export any necessary variables
 export JAVA_HOME JAVACMD

diff --git a/distribution/src/installer/openfire.install4j b/distribution/src/installer/openfire.install4j